“If I were to remain silent, I'd be guilty of complicity.” - Einstein

The Identity Theft Resource Center (“ITRC”) issued its end of year press release today. Not surprisingly, the number of breaches reported in 2008 was up significantly from 2007, with their counter hitting 656 U.S. breaches for the year, an increase of 47% over last year’s total of 446 breaches in their database.Â Some of the reported increase may be due to states implementing new reporting requirements, and some may be due to the Maryland Attorney General’s office making its central registry of breach reports available online, but even after taking the latter into account, there is still a significant increase from 2007 to 2008.

According to the ITRC’s analyses, the financial, banking and credit industries

have remained the most proactive groups in terms of data protection over all three years. The Government/Military category has dropped nearly 50% since 2006, moving from the highest number of breaches to the third highest.

The business sector accounted for over one third of the breaches in their 2008 database:

2008 – # of Breaches

2008

2007

2006

Business

240

36.6%

28.9%

21%

Educational

131

20%

24.8%

28%

Government/Military

110

16.8%

24.6%

30%

Health/Medical

97

14.8%

14.6%

13%

Financial/Credit

78

11.9%

7%

8%

The ITRC also analyzed cause of breach for those reports that indicated causes:

Mal-attacks, hacking and insider theft, account for 29.6% of those breaches that reported the causal factor. Insider theft, now at 15.7%, has more than doubled between 2007 and 2008. On the other hand, data on the move and accidental exposure, both human error categories, showed noteworthy improvement, but still account for 35.2% of those breaches that indicate cause.

But did breaches in the educational sector actually decrease or did they just account for a smaller percent of all increases? And did businesses account for a greater percent of breaches because they experienced a relatively greater number of increases in that sector or is their relative percentage greater because some other sectors dropped significantly?

Because I find limited value in looking at percent of total breaches by sector, I looked at some of their data using simple frequency counts. For 2008 vs. 2007:

2008

2007

Business Sector

240

129

Educational

131

111

Government/Military

110

110

Health/Medical

97

65

Financial Credit

78

31

Whereas ITRC’s analysis might lead to the conclusion that the financial section is the most proactive sector because they represent less than 12% of all breaches, inspection of the raw frequency data suggests a somewhat different picture:Â reported breaches increased over 250% from 2007 to 2008. That trend indicates that security in the financial sector is not keeping pace with previous threats and new threats to data security.

In interpreting ITRC’s data, then, and in addition to all of the cautions and qualifiers they appropriately include, we also need to keep other factors in mind, not the least of which is that when Massachusetts analyzed its breach reports for the first 10 months after its law went into effect, 75% of the reported breaches were from the financial sector, a statistic that does not seem to “fit” with what ITRC found based on published media reports or those reports available on a few states attorney general web sites.

Trying to compare sectors or breach types as percentage of total breaches in the sample is fraught with qualifiers because the sectors are not equally represented in the population. If businesses account for 36.6% of all breaches in the sample, we really cannot conclude anything meaningful from that without knowing how many businesses there are, total, that might be subject to breach reporting so that we can compare that to how many financial entities there are that would be subjected to reporting laws, how many educational institutions, etc. Inter-sector comparisons may not be as valid as intra-sector comparisons from year to year.

Similarly, saying that a sector decreased from one year to the next in terms of percent of total breaches may provide a misleading impression in the absence of additional data. Did their relative contribution change because all of the other sectors experienced significant increases or decreases, or did their relative contribution change because their rate of breaches changed when other sectors did not change — or some combination of the above?

Perhaps we should be asking what the military/government sector did right this year, as their reported number of breaches remained the same while all other sectors increased.

In any event, although the overall totals increased 47% in 2008, the fact that financial sector incidents more than doubled and business sector incidents nearly doubled are grim predictors for 2009.

None of the above comments should be construed as any criticism of ITRC, who has done an outstanding job trying to keep track of the many breaches that are reported each year.Â If anything, the criticisms are a reflection of the continuing frustration of trying to make sense of data when we do not have random, equal, or representative samples.Â Making any sense of breach data continues to be like comparing apples, oranges, and Fruit Loops.

Hopefully, the FOI project that is under way will provide us with more data that will help us get a clearer picture of what is going on, although given the differences in state reporting laws, there will always be questions.

i went through i t r c when my identitiy was stolen and used for criminal reasons…they dropped the ball and after my case worker left, my case set for two months without any contact from anyone letting me know what was going on. if this is how they run a company how are they helping anyone….i have requested that my complete file be returned to me and i am also filing a complaint with the FTC. if you are in a business to hel someone, do no leave them hanging with something this important going on. they act as if criminal identity theft is no big deal. i having been working on this for over 10 years with three different states and got more done that they even thought about doing.

Three states? Ten years? Sounds awful. If you’d like to share more about how you wound up in this predicament, feel free to email me or post here. Perhaps your experience can help others who find themselves in a similar situation. Do you have any tips or guidance for people who find themselves the victims of criminal identity theft?

I don’t know what happened to you with ITRC, and cannot really comment on that because my dealings with them — which have been uniformly positive — have only dealt with their breach list and stats.

I outed TD Ameritrade for the breach by which the Social Security Numbers of all 6.3 million AMTD customers were compromised and helped prove that known criminals had gained access to the database they were in.

I called and left a message with ITRC’s Linda Foley about it Jun 16 ’08 but never heard back.

The crux of the matter may be that while TD Ameritrades admits that a breach occurred and the breached database contained unencrypted social security numbers, and data was removed by (and therefore exposed to) attackers, they both don’t admit to and don’t deny the removal of the SSNs from the database. They can avoid doing so because the SSNs were not trackable, while the stolen email addresses were trackable, so the theft of the latter is undeniable. Essentially, TD Ameritrade is claiming that masked bandits left a bank with bulging bags, but didn’t take any money.

ITRC’s criteria use the word “exposed” not stolen, so they should include the breach in their statistics.

I recognize your name as the lead plaintiff on the lawsuit against TD Ameritrade.

TD Ameritrade acknowledged that the SSN were in the same database as the acquired data, so I understand your point. And I agree with you that SSN were compromised — by my definition of compromised.

But — like the ITRC, the Privacy Rights Clearinghouse did not count the TD Ameritrade incident in their statistics. They listed it but didn’t count it. They report: “Not added to total. It does not appear that SSNs or financial account numbers were exposed.”

PRC’s criteria state, “The data breaches noted below have been reported because the personal information compromised includes data elements useful to identity thieves, such as Social Security numbers, account numbers, and driver’s license numbers. Some breaches that do NOT expose such sensitive information have been included in order to underscore the variety and frequency of data breaches. However, we have not included the number of records involved in such breaches in the total because we want this compilation to reflect breaches that expose individuals to identity theft as well as breaches that qualify for disclosure under state laws. ”

So there you have two databases both oriented more exlcusively to ID theft, and neither one included the incident in their statistics.

PogoWasRight.org, PHIprivacy.net, and now DataBreaches.net consistently report more incidents than are included in any of the big databases. I can lead database horses to water. I can’t determine their inclusion criteria or whether they bother to use my site to find items to include in their databases. All I can say — and repeatedly do say — is that they are underestimating the true extent of breaches, which they already know.

Search

Search for:

Welcome

This is my personal blog where I blog about privacy, issues in psychology that are of interest to me, and pretty much whatever's on my mind.

If you are looking for privacy news, you'll find it at the "mother ship," PogoWasRight.org. And if you're looking for even more on medical or health privacy breaches, see the Healthcare section of my other site, DataBreaches.net.